| author | Guilhem Moulin <guilhem@fripost.org> | 2017-07-08 21:02:36 +0200 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2017-07-08 21:02:36 +0200 |
| commit | 8cdd29841d0dbb89e866aad36173bb26182d0c97 | |
| tree | 257e918f4af3bd68555276d7f19a0d3d0deea589 | |
| parent | 8349b801a5f7e5f11b0a758d7ab28d8b79eb08ea | |
Bind webserver to /var/run/lacme-www.socket by default.
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | Changelog | 2 |
| -rw-r--r-- | config/lacme.conf | 2 |
| -rwxr-xr-x | lacme | 2 |
| -rw-r--r-- | lacme.md | 4 |
| -rw-r--r-- | snippets/apache2.conf | 2 |
| -rw-r--r-- | snippets/nginx.conf | 2 |

6 files changed, 7 insertions, 7 deletions
@@ -5,7 +5,7 @@ lacme (0.3) upstream; + new-cert: create certificate files atomically. + webserver: allow listening to multiple addresses (useful when dual IPv4/IPv6 stack is not supported). Listen to a UNIX-domain - socket by default </var/run/lacme.socket>. + socket by default </var/run/lacme-www.socket>. + webserver: don't install temporary iptables by default. Hosts without a public HTTP daemon listening on port 80 need to set the 'listen' option to [::] and/or 0.0.0.0, and possibly set the diff --git a/config/lacme.conf b/config/lacme.conf index 874bb1f..3cc1b34 100644 --- a/config/lacme.conf +++ b/config/lacme.conf @@ -62,7 +62,7 @@ # Comma- or space-separated list of addresses to listen on, for instance # "0.0.0.0:80 [::]:80". # -#listen = /var/run/lacme.socket +#listen = /var/run/lacme-www.socket # Non-existent directory under which an external HTTP daemon is # configured to serve GET requests for challenge files under @@ -97,7 +97,7 @@ do { map {$_ => undef} qw/server timeout SSL_verify SSL_version SSL_cipher_list/ }, webserver => { - listen => '/var/run/lacme.socket', + listen => '/var/run/lacme-www.socket', 'challenge-directory' => undef, user => 'www-data', group => 'www-data', 
@@ -232,12 +232,12 @@ served during certificate issuance. addresses are of the form `IPV4:PORT`, `[IPV6]:PORT` (where the `:PORT` suffix is optional and defaults to the HTTP port 80), or an absolute path of a UNIX-domain socket (created with mode `0666`). - Default: `/var/run/lacme.socket`. + Default: `/var/run/lacme-www.socket`. **Note**: The default value is only suitable when an external HTTP daemon is publicly reachable and passes all ACME challenge requests to the webserver component through the UNIX-domain socket - `/var/run/lacme.socket` (for instance using the provided + `/var/run/lacme-www.socket` (for instance using the provided `/etc/lacme/apache2.conf` or `/etc/lacme/nginx.conf` configuration snippets for each virtual host requiring authorization). If there is no HTTP daemon bound to port 80 one needs to set *listen* to diff --git a/snippets/apache2.conf b/snippets/apache2.conf index 471791c..20bf2ad 100644 --- a/snippets/apache2.conf +++ b/snippets/apache2.conf @@ -5,7 +5,7 @@ # non-ssl one) of each virtual host requiring authorization. <Location /.well-known/acme-challenge/> - ProxyPass unix:///var/run/lacme.socket|http://localhost/.well-known/acme-challenge/ + ProxyPass unix:///var/run/lacme-www.socket|http://localhost/.well-known/acme-challenge/ Order allow,deny Allow from all </Location> diff --git a/snippets/nginx.conf b/snippets/nginx.conf index 6753ff9..981bdc3 100644 --- a/snippets/nginx.conf +++ b/snippets/nginx.conf @@ -6,7 +6,7 @@ location ^~ /.well-known/acme-challenge/ { # Pass ACME requests to lacme's webserver component - proxy_pass http://unix:/var/run/lacme.socket; + proxy_pass http://unix:/var/run/lacme-www.socket; ## Alternatively, you can let nginx serve the requests by ## setting 'challenge-directory' to '/var/www/acme-challenge' in |
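Review bot: the Changelog hunk only swaps `/var/run/lacme.socket` for `/var/run/lacme-www.socket` and says nothing about why the default socket is being renamed; a short clause naming what the `-www` suffix is meant to distinguish it from would make the entry self-explanatory. If a release has already shipped with the old default, the same entry should also carry an upgrade note: any virtual host whose proxy stanza was copied from the previous `snippets/apache2.conf` or `snippets/nginx.conf` still points at `/var/run/lacme.socket`, so after the upgrade ACME challenge requests would no longer reach the webserver component and issuance would fail.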
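Review bot: in the lacme.md hunk the unchanged context keeps stating that the UNIX-domain socket is "created with mode `0666`", i.e. connectable by every local user, while the `lacme` hunk shows the webserver component defaulting to `user => 'www-data', group => 'www-data'`. Since this change already rewrites the paragraph that documents the default path, it is the natural place to say who is expected to connect to `/var/run/lacme-www.socket` (the external HTTP daemon) and that a tighter mode is possible when that daemon shares a group with the webserver component, or to add a sentence explaining why world-accessible mode is the default.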
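Review bot: the `snippets/apache2.conf` and `snippets/nginx.conf` hunks hard-code the new socket path a third and fourth time, next to the `listen` default in `lacme` and the commented `#listen = /var/run/lacme-www.socket` line in `config/lacme.conf`; this commit is itself evidence that the four copies drift apart unless every one is touched. Suggest adding a one-line comment above `ProxyPass unix:///var/run/lacme-www.socket|http://localhost/.well-known/acme-challenge/` and above `proxy_pass http://unix:/var/run/lacme-www.socket;` stating that the path must match the webserver `listen` option in `lacme.conf`, so an administrator who changes `listen` knows the proxy target has to follow.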